From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Xserver 1/1] The xserver module is not in base.
Date: Fri, 3 Sep 2010 12:53:30 +0200	[thread overview]
Message-ID: <20100903105326.GA22748@localhost.localdomain> (raw)

The xserver module is not in base.
That must mean its use is optional.
Move all external xserver interface calls into optional policy blocks.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 5d3d45c... 521f16d... M	policy/modules/apps/evolution.te
:100644 100644 cbf4bec... 7266190... M	policy/modules/apps/mozilla.te
:100644 100644 815a467... e6dc43a... M	policy/modules/apps/mplayer.te
:100644 100644 794c0be... c75a7ce... M	policy/modules/apps/thunderbird.te
:100644 100644 1f803bb... 8524075... M	policy/modules/apps/vmware.te
:100644 100644 1bdeb16... a4d2bc5... M	policy/modules/apps/xscreensaver.te
:100644 100644 0f262a7... ca59bdb... M	policy/modules/services/rhgb.te
:100644 100644 e226da4... 5216d19... M	policy/modules/services/xserver.te
:100644 100644 8b4f6d8... cf5f157... M	policy/modules/system/userdomain.if
 policy/modules/apps/evolution.te    |   26 +++++++++++++++++---------
 policy/modules/apps/mozilla.te      |   10 ++++++----
 policy/modules/apps/mplayer.te      |    6 ++++--
 policy/modules/apps/thunderbird.te  |   10 ++++++----
 policy/modules/apps/vmware.te       |    4 +++-
 policy/modules/apps/xscreensaver.te |    5 ++++-
 policy/modules/services/rhgb.te     |   20 +++++++++++---------
 policy/modules/services/xserver.te  |    2 +-
 policy/modules/system/userdomain.if |   30 ++++++++++++++++++------------
 9 files changed, 70 insertions(+), 43 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 5d3d45c..521f16d 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -223,9 +223,6 @@ userdom_dontaudit_read_user_home_content_files(evolution_t)
 
 mta_read_config(evolution_t)
 
-xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
-xserver_read_xdm_tmp_files(evolution_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(evolution_t)
 	fs_manage_nfs_files(evolution_t)
@@ -340,6 +337,11 @@ optional_policy(`
 	spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
 ')
 
+optional_policy(`
+	xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+	xserver_read_xdm_tmp_files(evolution_t)
+')
+
 ########################################
 #
 # Evolution alarm local policy
@@ -385,8 +387,6 @@ userdom_search_user_home_dirs(evolution_alarm_t)
 # until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
 
-xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
-
 # Access evolution home
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(evolution_alarm_t)
@@ -408,6 +408,10 @@ optional_policy(`
 	nscd_socket_use(evolution_alarm_t)
 ')
 
+optional_policy(`
+	xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+')
+
 ########################################
 #
 # Evolution exchange connector local policy
@@ -469,8 +473,6 @@ userdom_search_user_home_dirs(evolution_exchange_t)
 # until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
 
-xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
-
 # Access evolution home
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(evolution_exchange_t)
@@ -488,6 +490,10 @@ optional_policy(`
 	nscd_socket_use(evolution_exchange_t)
 ')
 
+optional_policy(`
+	xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+')
+
 ########################################
 #
 # Evolution data server local policy
@@ -611,8 +617,10 @@ userdom_search_user_home_dirs(evolution_webcal_t)
 # until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
 
-xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
-
 optional_policy(`
 	nscd_socket_use(evolution_webcal_t)
 ')
+
+optional_policy(`
+	xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index cbf4bec..7266190 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -143,10 +143,6 @@ sysnet_dns_name_resolve(mozilla_t)
 
 userdom_use_user_ptys(mozilla_t)
 
-xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
-xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-
 tunable_policy(`allow_execmem',`
 	allow mozilla_t self:process { execmem execstack };
 ')
@@ -266,3 +262,9 @@ optional_policy(`
 optional_policy(`
 	thunderbird_domtrans(mozilla_t)
 ')
+
+optional_policy(`
+	xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+	xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+	xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 815a467..e6dc43a 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -234,8 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
 userdom_read_user_home_content_symlinks(mplayer_t)
 userdom_write_user_tmp_sockets(mplayer_t)
 
-xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
-
 # Read songs
 ifdef(`enable_mls',`',`
 	fs_search_removable(mplayer_t)
@@ -309,3 +307,7 @@ optional_policy(`
 	pulseaudio_exec(mplayer_t)
 	pulseaudio_stream_connect(mplayer_t)
 ')
+
+optional_policy(`
+	xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+')
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 794c0be..c75a7ce 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -109,10 +109,6 @@ userdom_manage_user_tmp_sockets(thunderbird_t)
 # .kde/....gtkrc
 userdom_read_user_home_content_files(thunderbird_t)
 
-xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
-xserver_read_xdm_tmp_files(thunderbird_t)
-xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
-
 # Access ~/.thunderbird
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(thunderbird_t)
@@ -208,3 +204,9 @@ optional_policy(`
 	mozilla_domtrans(thunderbird_t)
 	mozilla_dbus_chat(thunderbird_t)
 ')
+
+optional_policy(`
+	xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+	xserver_read_xdm_tmp_files(thunderbird_t)
+	xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+')
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 1f803bb..8524075 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -278,4 +278,6 @@ userdom_read_user_home_content_files(vmware_t)
 sysnet_dns_name_resolve(vmware_t)
 sysnet_read_config(vmware_t)
 
-xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+optional_policy(`
+	xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+')
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
index 1bdeb16..a4d2bc5 100644
--- a/policy/modules/apps/xscreensaver.te
+++ b/policy/modules/apps/xscreensaver.te
@@ -41,4 +41,7 @@ userdom_use_user_ptys(xscreensaver_t)
 #access to .icons and ~/.xscreensaver
 userdom_read_user_home_content_files(xscreensaver_t)
 
-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+	xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')
+
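Review bot: The final added line of this hunk is an empty line after the closing `')`, which leaves xscreensaver.te with a blank line at end of file that the other modules converted in this series (vmware.te, mplayer.te) do not carry and that git apply reports as a new blank line at EOF. Drop that trailing empty `+` line so the file ends at `')`, matching the vmware.te hunk.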
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 0f262a7..ca59bdb 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -110,15 +110,6 @@ sysnet_domtrans_ifconfig(rhgb_t)
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
 userdom_dontaudit_search_user_home_content(rhgb_t)
 
-xserver_read_tmp_files(rhgb_t)
-xserver_kill(rhgb_t)
-# for running setxkbmap
-xserver_read_xkb_libs(rhgb_t)
-xserver_domtrans(rhgb_t)
-xserver_signal(rhgb_t)
-xserver_read_xdm_tmp_files(rhgb_t)
-xserver_stream_connect(rhgb_t)
-
 optional_policy(`
 	consoletype_exec(rhgb_t)
 ')
@@ -135,6 +126,17 @@ optional_policy(`
 	udev_read_db(rhgb_t)
 ')
 
+optional_policy(`
+	xserver_read_tmp_files(rhgb_t)
+	xserver_kill(rhgb_t)
+	# for running setxkbmap
+	xserver_read_xkb_libs(rhgb_t)
+	xserver_domtrans(rhgb_t)
+	xserver_signal(rhgb_t)
+	xserver_read_xdm_tmp_files(rhgb_t)
+	xserver_stream_connect(rhgb_t)
+')
+
 ifdef(`TODO',`
 	#this seems a bit much
 	allow domain rhgb_devpts_t:chr_file { read write };
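Review bot: After this hunk every rule that lets rhgb_t start and talk to the X server (xserver_domtrans, xserver_stream_connect, xserver_signal, xserver_kill, xserver_read_xkb_libs) exists only when the xserver module is loaded, yet rhgb's purpose is to run an X server during boot, so a build without xserver presumably yields an rhgb_t that is denied on its first exec of the X binary rather than a working rhgb. That is the expected outcome for a dependency on a non-base module, but nothing in the block says so; add `# rhgb runs its own X server; without the xserver module none of these rules apply` at the top of the optional_policy block so the silent drop is documented. The remainder of rhgb_t's local policy continues outside the hunk.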
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e226da4..5216d19 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -494,7 +494,7 @@ tunable_policy(`use_samba_home_dirs',`
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-#	xserver_rw_session_template(xdm,userdomain)
+	#	xserver_rw_session_template(xdm,userdomain)
 ',`
 	userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
 	# FIXME:
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8b4f6d8..cf5f157 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -431,16 +431,18 @@ template(`userdom_xwindows_client_template',`
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($1_t)
 
-	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
-	xserver_xsession_entry_type($1_t)
-	xserver_dontaudit_write_log($1_t)
-	xserver_stream_connect_xdm($1_t)
-	# certain apps want to read xdm.pid file
-	xserver_read_xdm_pid($1_t)
-	# gnome-session creates socket under /tmp/.ICE-unix/
-	xserver_create_xdm_tmp_sockets($1_t)
-	# Needed for escd, remove if we get escd policy
-	xserver_manage_xdm_tmp_files($1_t)
+	optional_policy(`
+		xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
+		xserver_xsession_entry_type($1_t)
+		xserver_dontaudit_write_log($1_t)
+		xserver_stream_connect_xdm($1_t)
+		# certain apps want to read xdm.pid file
+		xserver_read_xdm_pid($1_t)
+		# gnome-session creates socket under /tmp/.ICE-unix/
+		xserver_create_xdm_tmp_sockets($1_t)
+		# Needed for escd, remove if we get escd policy
+		xserver_manage_xdm_tmp_files($1_t)
+	')
 ')
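Review bot: userdom_xwindows_client_template now silently produces a client domain with no X access at all when the xserver module is absent, and neither the new optional_policy block nor the template's interface documentation (above the hunk) states that, so a reader of `xserver_xsession_entry_type($1_t)` will assume the entry type is always declared; the same applies to `xserver_restricted_role($1_r, $1_t)` in the userdom_restricted_xwindows_user_template hunk further down. Add `# X access is only granted when the xserver module is loaded` as the first line of the block, and mention the dependency in the template's summary comment. The template begins before the hunk.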
 
 #######################################
@@ -881,8 +883,6 @@ template(`userdom_restricted_xwindows_user_template',`
 	logging_send_audit_msgs($1_t)
 	selinux_get_enforce_mode($1_t)
 
-	xserver_restricted_role($1_r, $1_t)
-
 	optional_policy(`
 		alsa_read_rw_config($1_t)
 	')
@@ -907,6 +907,10 @@ template(`userdom_restricted_xwindows_user_template',`
 	optional_policy(`
 		setroubleshoot_dontaudit_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		xserver_restricted_role($1_r, $1_t)
+	')
 ')
 
 #######################################
@@ -2674,6 +2678,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
 	')
 
 	xserver_xsession_spec_domtrans($1, userdomain)
+
 	allow userdomain $1:fd use;
 	allow userdomain $1:fifo_file rw_file_perms;
 	allow userdomain $1:process sigchld;
@@ -2720,6 +2725,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	')
 
 	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+
 	allow unpriv_userdomain $1:fd use;
 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
-- 
1.7.2.1
